AEPD (Spain) - PS/00194/2020: Difference between revisions

From GDPRhub
mNo edit summary
 
(2 intermediate revisions by one other user not shown)
Line 7: Line 7:
|DPA_With_Country=AEPD (Spain)
|DPA_With_Country=AEPD (Spain)


|Case_Number_Name=PS-00194-2020
|Case_Number_Name=PS/00194/2020
|ECLI=
|ECLI=



Latest revision as of 14:09, 13 December 2023

AEPD - PS/00194/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 23.10.2020
Published:
Fine: 2000 EUR
Parties: CABRERA & GIL ABOGADOS, S.L.P
National Case Number/Name: PS/00194/2020
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Francesc Julve Falcó

An individual lodged a complaint with the Spanish DPA (AEPD) for considering the processing of his personal data by a law firm contrary to data protection regulations (Article 6 GDPR).

English Summary

Facts

A lawyer from the Cabrera y Gil law firm, sent a letter to a third company, providing the knowledge of the personal data and private address without the knowledge or consent of the data subject for that purpose, being that company totally unrelated to the applicant, without any corporate, labour or shareholder relationship or any other relation.

The law firm in question sent a reply to the AEPD's request for information, claiming that the procedure for security breach and/or leakage of confidential information and personal data of the company itself had been carried out.

They also justified that all processing of personal data was carried out for the purpose of providing legal defense and representation before the courts, as provided for in Article 24 of the Spanish Constitution. At the same time, they replied that the protection of information has been carried out in a correct manner, respecting the three basic principles: confidentiality. integrity and availability.

From the law firm, they defend that the processing of data serves a legitimate purpose as set out in Article 6 (1) (f) GDPR, since it is necessary to carry out their work of defence and legal representation.

Dispute

Is the processing of personal data for legal defense purposes a situation that complies with legitimate purposes, as stated in article 6 (1) (f) GDPR?

Holding

On 20/07/20, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the entity complained of for failing to comply with the provisions of the regulations in force and imposing on the entity complained of a sanction of EUR 2000 (two thousand euros) for the infringement of Article 6 of the RGPD.


Comment

On 29/07/20, the claimed entity has proceeded to pay the penalty in the amount of EUR 1600 (one thousand six hundred euros) using one of the two reductions (20%), as a voluntary payment option without recognition of liability.

Therefore, the company complained of desists from lodging any appeal against the sanction, but at the same time refuses to acknowledge its responsibility in the matter in question.


Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                                 1/10









     Procedure No.: PS / 00194/2020
938-0419



RESOLUTION OF TERMINATION OF THE PROCEDURE BY EARLY PAYMENT

In the sanctioning procedure PS / 00194/2020, instructed by the Spanish Agency for
Data Protection, to the entity, CABRERA & GIL ABOGADOS, S.L.P. with CIF .:
B84220193, (hereinafter, “the claimed entity”), by virtue of the complaint filed

by A.A.A., (hereinafter, “the claimant”) and based on the following:

                                   BACKGROUND

FIRST: On 03/19/19, you entered this Agency, complaint filed

by the claimant in which it indicated, among others, the following:

“On January 11, 2019, a lawyer from the Cabera y Gil law firm sent the letter
that accompanied the company *** COMPANY.1 and to whom he subscribes, putting in his
I know my personal data and home address without my knowledge and

consent to this, said company being totally unrelated to the appearing party,
without corporate, labor, shareholding or any other relationship ”.

A copy of the letter sent by the Firm is attached to the claim document.
de Abogados Cabrera & Gil, addressed to the claimant, with a copy ("w / copy"), to the entity

*** COMPANY.1, in which they contact him, on behalf of his client,
*** COMPANY.2, in relation to the lawsuit presented.

SECOND: In view of the facts set forth in the claim and the documents
provided by the claimant, the Subdirectorate General for Data Inspection proceeded

to carry out actions for its clarification, under the powers of
investigation granted to the control authorities in article 57.1 of the Regulation
(EU) 2016/679 (RGPD). Thus, dated 05/15/19, an informative request is addressed to
the claimed entity.


THIRD: On 06/06/19, the claimed entity sends this Agency in writing
in which, among others, it indicates:

“We present the facts that are inserted in the claim: -a lawyer from the firm-
cho de abogados Cabrera & Gil Abogados, S.L.P. has sent a burofax to the company

*** COMPANY.1 addressed to the claimant (your personal data is indicated at the top
nales: name. surname and postal address) on behalf of your client, the company
*** COMPANY.2, of which he claims he was a partner in the past. The claimant criticizes that
your personal data is being disclosed to the aforementioned company *** COMPANY.1
with which it does not maintain any type of relationship (neither corporate, labor nor shareholder).


The first decision taken regarding this claim was to activate the protocol
colo of security breach and / or leak of confidential information and personal data
implemented by Cabrera & Gil Abogados SLP, which is provided as (document no.
mere 2).


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/10








This protocol contains the following action parameters:

1.- Whoever has had knowledge of an incident. related to personal data-

them. report the situation internally without delay, communicating it to the management team
tive. 2.- An internal audit will be carried out within the first 6 hours
3.- An external audit will be carried out if deemed necessary
4.- An estimate of the impact will be made.
5.- In the event that we are faced with a leak of personal data
significant and / or seriously jeopardizing the rights or freedoms of the person.

In accordance with the RGPD, the security violation will be notified to the AEPD
6.- Taking measures to mitigate the leak or security breach.
7.- Evaluation of the result and the effectiveness of the actions taken.

The corresponding act has been drawn up of the activation of the action protocol

whose certificate is attached as [document number 3) dated May 20,
2019:
The agreements and assessments taken as a result of the activation of the protocol
Color of breach and / or information leak are the following:

The communication has been made by the AEPD. on May 10, 2019; Denun-

ciant: A.A.A .; Data Processing Registry. *** COMPANY. 2 filing of requests
lla.

Facts: "- A lawyer from the law firm Cabrera & Gil Abogados S.L.P. has
sent a burofax to the company *** COMPANY.1 addressed to the claimant (in the upper part

above, your personal data is indicated: name, surname and postal address) in the name
of his client, the company *** EMPRESA.2, of which they affirm that he was a partner in the
past.

The claimant criticizes that their personal data is being disclosed to the aforementioned

company *** COMPANY.1, with which it does not have any type of relationship (or corporate
estuary. neither labor nor stock).

After conducting the internal audit, within the first six hours, it is determined that no
no information has been stolen. There is no leak. They are not affected
entities or persons. There is no information leak for which there is no responsible party.


A.A.A. has been the subject of a complaint by the company *** COMPANY. 2 cu-
We defend interests. It is attached as (Doc. 4) acknowledgment of receipt before the jurisdiction
penal. and as (Doc. 5) complaint presented before the criminal jurisdiction.


The presentation of said claim in the AEPD against “Cabrera & Gil Abogados.
SLP ”is in response to and in retaliation for the complaint filed on February 28,
2019 in defense of the rights and interests of our client. one month before
claim before the AEPD. A.A.A. is a partner of *** EMPRESA.2 and has been represented
legal entity of the company *** COMPANY.2 is attached as (Doc. 6) power of attorney

tion and in direct relationship with *** COMPANY.1 of which it has been and is the representative of
done. The complaint is filed among other reasons for this in direct relation to
unfair competition.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/10








Action protocols related to confidentiality agreements are reviewed.
quality and treatment of data transferred by the company *** COMPANY.2 as responsible
of transferred data and Cabrera & Gil SLP as assignee and in charge of the treatment of

data to defend your rights. As well as internal agreements and other protocols
with the dispatch personnel and the person responsible and authorized to carry the
proceedings. It is provided as (Doc. 7) confidentiality agreement and data transfer
between client as responsible and office as data controller. Be it by-
as (Doc. 8), confidentiality agreement and data processing by la-
boral assigned to the office signed by B.B.B .. Provided as (Doc. 9) Record of

Treatment activities for clients with *** COMPANY. 2.

All requests made to A.A.A. has been in quality and related to its
representation of legal persons either *** COMPANY.2 or *** COMPANY.1
Article 19 of the LOPD is applicable.


As we have said since February 28, 2019, a
complaint before the criminal courts against A.A.A. so the personal data
object of treatment have been obtained in legitimate interest.

The claim is dated March 19, 2019, so this is one month after the

filing of the complaint. The provisions regarding the lawfulness of the
data. both the consent of the interested party who is *** COMPANY.2 and responsible
treatment, as in relation to A.A.A. because it is covered by a provision
legal, as is established in the Criminal Procedure Law article 277 in relation to
compliance with the provisions of the articles of the Criminal Code and legitimation in the interests of

law determined in the effective judicial protection of article 24 of the EC, all of
in accordance with the articles in article 6.1 RGPD and 8 of the LOPD.

The protection of the information has been carried out correctly, respecting the
three basic principles: confidentiality. integrity and availability.


Confidentiality, the information is accessible only by authorized personnel.
c: B.B.B. and by C.C.C ..

The integrity of the information, the information is correct and is free of modifications
nests and mistakes. The complaint is precisely to denounce their responsibility as

de facto representative with the company *** COMPANY.1

Disponibility. The information is accessible to authorized persons or systems
zed when necessary. The management team does not consider the audit necessary
external depending on gravity. size, filtration level.


The impact estimate is level 0. It has been taken into account first, if in
the leakage of information, whether or not there is personal data and their level.

Reputational damages.- There are no reputational damages. Level 0.

Regulatory consequences that entail financial, administrative,
criminal, civil, deontological. Level 0. Economic valuation - level 0.



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/10








We are not in the case of data of a significant personal nature and / or that
seriously jeopardizes the rights or freedoms of the person, in accordance with the Re-
European Data Protection Regulation. Therefore, it is not necessary to notify the violation.

lation of security to the AEPD or notify the interested party.

Taking measures to mitigate the leak or security breach. All the me-
decisions taken by the management team.

The evaluation of the result and the effectiveness of the actions taken. The effectiveness of

The actions taken have been positive and were within the valid legality
people, however, the implementation of more rigorous measures to prevent
deal with any damage as far as possible.

Second.- It is not found in the cases of exercises of the regulated rights

in articles 15 to 22 of the RGPD.

Third.- The facts provided to the contrary, object of the claim dated 19
March 2019 are the following already mentioned:

A lawyer from the law firm CABRERA & GIL ABOGADOS S.L.P. has in-

Viado a burofax & the company *** COMPANY.1. addressed by the claimant (in the upper part
above, your personal data is indicated: name, surname and postal address) in the name
of his client, the company *** EMPRESA.2, of which they affirm that he was a partner in the
past. - The claimant criticizes that their personal data is being disclosed to the
mentioned company *** COMPANY.1 with which it does not maintain any type of relationship

(neither corporate, labor nor shareholder).

The facts are motivated in response to the complaint dated February 28,
2019 that this office has presented before the criminal jurisdiction: On February 28,
In 2019, the company *** EMPRESA.2 (complainant), filed a complaint, in the form of

ma and with the requirements indicated in article 277 and concordant of the Law of
Criminal Prosecution, against A.A.A. (defendant). From the point of view of
data protection and its legitimacy to initiate it is fully justified
from the evidentiary point of view, by the various documents related in the
point first.


The legitimacy of “Cabrera & Gil Abogados, S.L.P for the possession of personal data
sonal. and its treatment, is justified from two aspects, by a
hand, from the effective judicial protection that our client *** COMPANY.2 has to defend
deed from unlawful actions and omissions by A.A.A. and whose “consent
express consent 'is included in the confidentiality and data transfer agreement as

responsible for treatment; on the other hand, it would be justified according to the interest
legitimate. included in article 6 of the RGPD and 8 of the LOPD, and that the law of prosecution-
criminal procedure in relation to the penal code (articles 252, 253 and 248.1) gives
ture to that possession and transfer of personal data to the Judicial Bodies and to the investigation
investigation of the facts in which other entities or persons are related

legal or physical activities, such as the case of *** COMPANY.1, especially when it is the
pia public administration through the DGT (General Directorate of Traffic) which '
puts on the track 'that A.A.A., is using an account of
which is the owner together with *** EMPRESA.1 so that, causing deception in the DGT,

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/10








gresen in it, money that corresponds to *** COMPANY. 2. It is provided as
(Doc. 10) email from the D.G.T. The complaint is requested as diligence
investigation of the account holders from the BBVA Bank. A.A.A. missing

the truth when he 'hints' that he is not a member of *** COMPANY.2, causing an error in
as far as the data may be inaccurate.

This person has been and is a partner of *** COMPANY.2, and as we have said, he has been
Legal representative of the company *** COMPANY. 2. On October 20, 2005,
Power of attorney was granted to the defendant today, by the company *** EMPRESA.2,

with full powers to manage its assets, by virtue of a deed
power of attorney granted on said date, authorized before the Madrid Notary.

The power of attorney was revoked due to the company's detection of improper use and
for their own benefit, and their employment relationship was terminated, the object of which

nuncia in the complaint. The data is treated in a lawful, loyal and transparent manner in
relationship with the interested party. They have been collected for specific purposes. explicit and le-
to defend the rights of our client by filing a complaint with
date prior to filing the claim with the AEPD and they have not been treated
subsequently inconsistently.


In addition, the data as we have seen are adequate, pertinent and limited.
to what is necessary in relation to the purposes for which they have been treated in accordance with
the principle of data minimization; They are exact and updated data.

The claimant criticizes that their personal data is being disclosed to the aforementioned

company *** COMPANY.1 with which it does not have any type of relationship or corporate
neither labor nor stock. Precisely the complaint also deals with conduct of
unfair competition 248.1 of the Penal Code by A.A.A. regarding *** EM-
PRESA.2 and in direct relationship with *** COMPANY.1 of which it has been and is representing
you actually.


The company *** EMPRESA.2, detected that the defendant, carried out work for companies
sas of the competition, during the period in which he was as agent, and
He was the de facto administrator of the entity *** COMPANY. 2. The defendant today,
while he was the agent of the company *** COMPANY.2, created a shell company,
*** COMPANY.1, through a single partner and administrator, D.D.D. being the object so-

cial and commercial activity of this company, the same as that of my sponsored one. For
This, he made use of reserved information that as a partner and attorney of *** EMPRE-
SA.2, had in the sector.

Specifically, and as noted before, *** COMPANY.2, received on the 2nd of

March 2016. email from the DGT (General Traffic Directorate), in which
It was indicated that after checking the bank details of *** COMPANY.2, these differed
of the usual that consisted in said client.

Later. my client found that the account was owned by A.A.A. and *** EM-

DAM. 1. That is, the account provided by the defendant today to the client of my sponsor-
The purpose of this was to benefit from the amount that would be received from the DGT.



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/10








On this occasion, the defendant tried, through deception and confusion of a third party,
in this case the DGT, to appropriate certain amounts that were directed to
my sponsored by the provision of services in the scope of its activity, facilitating

for this, an account number of which he was the owner, apparently, together with the company
*** COMPANY.1, to charge for such services, without it being achieved since by part
From the DGT a certificate was requested for my client to prove the alleged
change of ownership of the account you used regularly.

In the face of unfair competition conducts and under article 6 of the RGPD and 8 of

the LOPD mentioned above. my client has the right to defend himself and to find out until
where fraudulent business practices have come. Data transfers have
been otherwise. those strictly necessary and directly related to their
representation data: name. surname and address not using other data such as your
D.N.I or other data related to your natural person. Being within the norm

therefore by article 19 of the LOPD as business data.

We consider relevant the legal basis by which, according to the article
Article 65 of the LOPD there is no place for the opening of any sanctioning file
because the claim is manifestly unfounded and in accordance with the article
the 74 of the LOPD not to have caused damage to the affected by being protected

our legitimacy for the treatment and transfer of data. in article 6 of the RGPD and
8 of the LOPD, falls within the established legitimate interest. The behavior before-
described above, carried out by the defendant, is included in the crime of fraud of the
Article 248.1 of the current CP. Crime with the aggravation of article 250.1.6º of the CP.


What has been seen so far determines that, if such facts exist. after checking
timely by the consultant, the action of the consultant consisting of communicating to the
prosecutor or judges a possible criminal act would not only be protected by the legislation
protection of data, but would be imposed by procedural legislation.
The requested data transfer would be covered by a law: "(...) if the law contemplates the

birth of an obligation between the parties the necessary corollary is that the law also
It must also consider the need to know the circumstances necessary to
der exercise the subjective rights that arise from said obligation. In consecuense
my client, before the commission of a crime on his person, property or property committed
by a third party, he must be able to know the circumstances necessary to exercise his
rights, and if article 24 of the Constitution recognizes the right to judicial protection

effective, developed, among other rules by the Civil Procedure Law, or the Law
of Criminal Procedure will have to go to these, art. 399 of the LEC or 277 of the
Criminal Procedure Law, to see the circumstances that a decision must have
judicial order. or in this case a complaint and among them, there is, that they have
to state "the data and circumstances of the plaintiff and the defendant, or in this case, that

and the domicile or residence in which they may be located ", so it is
conclude that the transfer of the requested data is covered by the exception
tion provided for in the LOPD and does not require the consent of the interested party.

In the present case. Obligations arise between the parties, according to art. 1089 of the Code

civil (Cc), art.1092 Cc. And art. 1093 Cc. Thus. both the crime and the res-
extra-contractual liability obligations arise between the parties. In the LEC art.
399 establishes the circumstances that the claim must contain: and among them we find
is that the application must state "the data and circumstances of the actor and

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/10








of the defendant and the domicile or residence in which they may be located. "
LECr the exercise of the action is exercised by complaint. according to art. 277
LECr. that requires that the name be recorded in it. surnames and neighborhood

the defendant, that is, the law establishes the need to provide personal data of the
person against whom the complaint is filed in order to be properly identified
(either the name, surname, or other circumstances, photography, tattoos. characteristics
personal cas etc.-). Although in our case in particular, it has only been provided
name, surname and address. Basic data.


The transfer of data has a legitimate interest: A second possibility that excepts
the need for the consent of the interested party is constituted by the existence of an interest
legitimate interest, provided that in a balancing exercise between said legitimate interest and the
fundamental rights of those affected, the former prevail over the latter.
So. the Judgment of the Court of Justice expressly declared the direct effect of the

Title 7 f) 'of Directive 95/46 / EC. according to which: “Member States shall provide
that the processing of personal data can only be carried out if (...) it is necessary
for the satisfaction of the legitimate interest pursued by the data controller
or by the third party or third parties to whom the data is communicated, provided that it does not prevail
read the interest or the fundamental rights and freedoms of the interested party that requires
They are protected under Article 1 (1) of this Directive ".


The RGPD. considers as a legitimate cause for the processing of data the interest
legitimate according to its article 6.1.f). So. to determine if the application would proceed
of the aforementioned provision, the weighting rule provided therein shall be applied;
that is, it is necessary to assess whether in the specific case under analysis, there will be a

legitimate interest pursued by the data controller or by the third party or third parties
to whom the data is communicated. that prevails over the interest or rights
and fundamental freedoms of the interested party that require protection in accordance with the provisions
put in article 1 of the RGPD. or if, on the contrary, fundamental rights or
Interests of the interested parties to whom the data processing refers must

prevail over the legitimate interest in which the person responsible or the third party intends to
Mention the treatment or transfer of personal data. Before the commission
of a crime, it is clear that the interests of my client prevail and not the other way around. Your-
effective judicial fabric: In the present case. the legitimate interest invoked refers specifically to
cially to the fundamental right to effective judicial protection (art. 24 CE). as far
in which the illegal actions and omissions carried out by the "interested" and included in the

supporting documentation are necessary to file the complaint. The scope of
right to judicial protection in relation to the evidence has been addressed. among other. in
STC 212/2013, of December 16. The scope of the right to judicial protection in relation to
relationship with the test has been addressed. among other. in STC 21212013. of December 16
Cement. in which reference is made, citing STC 88/2014. May 28 at "

intimate relationships of the right to evidence with other rights guaranteed in art.
24 CE. The relationship between the rights to protection of personal data and guardianship
judicial has been. Likewise, analyzed in the Infamous of this AEPD 469/2011 of December 30,
December 2011. in which the following is indicated:


"In this point. It should be remembered that the AEPD has already had the opportunity to analyze the
possible concurrence in a certain case of data processing of the rights
Chos fundamental to the protection of personal data and judicial protection
effective data controller. Thus, it has been considered, for example, that the

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 8/10








treatment by a lawyer of the data of the opposing party of his client finds
its protection in the recognition of the latter by article 24.1 of the Constitution of
their right to effective judicial protection. which implies, according to section 2, the defense

lawyer and the use of the pertinent means of proof for the defense of their right.
The enforceability of the opponent's consent, in this case, A.A.A., for trafficking


of your data, or by your lawyer would mean leaving the warehouse at the disposal of
storage of the necessary information so that your client can fully exercise

their right to effective judicial protection. Thus the lack of these data may logically imply
camente, a reduction in the possibility of contribution by the interested party of "the media
relevant evidence for his defense ”, violating another of the guarantees derived
of the aforementioned right to effective protection and restricting the possibility of obtaining the full
development of this right.


For all of it. Although no provision with the force of Law expressly establishes the
possibility of the treatment by lawyers and solicitors of the data referred to the opposition
of his client within a certain judicial process, it is evident that he
cha possibility brings direct cause of a norm of constitutional rank. regulatory
in addition to one of the fundamental rights and public freedoms enshrined by

the Constitution. and developed by the regulatory laws of each of the Orders
Jurisdictional. in the precepts referring to the representation and defense of the
tes. For all of it. it exists, from our point of view. a legal qualification for the
data processing, which is covered by article 24 of the Constitution.
tion and its implementing rules.


FOURTH: On 07/20/20, the Director of the Spanish Agency for the Protection of
Data agreed to initiate a sanctioning procedure against the claimed entity, by virtue of
the powers established, for failing to comply with the provisions of current regulations and
giving the claimed entity a penalty of 2,000 euros (two thousand euros) for the

fraction of article 6 of the RGPD.

FIFTH: On 07/29/20, the claimed entity has proceeded to pay the
sanction in the amount of 1600 euros (one thousand six hundred euros) making use of one of
the two reductions provided for in the Initiation Agreement transcribed above,
submitting in this Agency writing in which, among others, it is indicated:


“Voluntary payment option without acknowledgment of responsibility:

That in accordance with the provisions of article 85 of the LPACAP, in the case of
that the sanction to be imposed was a fine, may, at any time prior to the

resolution of this procedure, carry out the voluntary payment of the penalty
proposal, which will mean a reduction of 20% of the amount thereof,
equivalent in this case to € 400. With the application of this reduction, the sanction
it would be set at € 1,600 and its payment would imply the termination of the procedure.
The effectiveness will be conditioned to the withdrawal or resignation of any action or
administrative appeal against the penalty. (…)


With the application of this reduction, the penalty would be set at € 1,600, no
recognizes the responsibility on the part of “Cabrera & Gil Abogados and desists

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 9/10








expressly, of any action or appeal in the administrative channel against the
sanction".








                            FOUNDATIONS OF LAW

                                             I


By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of
control, and as established in art. 47 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), the Director of the Spanish Agency for Data Protection
is competent to sanction the infractions that are committed against said Regulation-

ment.

                                             II

Article 85 of Law 39/2015, of October 1, on the Administrative Procedure Co-

of the Public Administrations (hereinafter LPACAP), under the heading “Termi-
nation in sanctioning procedures ”provides the following:

"1. Initiated a sanctioning procedure, if the offender acknowledges his responsibility,
the procedure may be resolved with the imposition of the appropriate sanction.


2. When the sanction is solely of a pecuniary nature or it is possible to impose a
pecuniary sanction and another of a non-pecuniary nature, but the improper
dence of the second, the voluntary payment by the presumed responsible, in any
moment prior to the resolution, will imply the termination of the procedure, except in

Regarding the replacement of the altered situation or the determination of the compensation
tion for damages caused by the commission of the offense.

3. In both cases, when the sanction is solely of a pecuniary nature, the
I win competent to resolve the procedure will apply reductions of, at least, the

20% on the amount of the proposed penalty, these being cumulative among themselves. The
said reductions must be determined in the notification of initiation of the
procedure and its effectiveness will be conditioned to the withdrawal or resignation of
any action or appeal in administrative proceedings against the sanction.


The reduction percentage provided for in this section may be increased by regulation.
mentally. "

In accordance with the above, the Director of the Spanish Agency for the Protection of
Data


                                       RESOLVES:


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 10/10









FIRST: DECLARE the termination of the procedure, PS / 194/2020, in accordance with
with the provisions of article 85 of the LPACAP.

SECOND: NOTIFY this resolution to the entity, CABRERA & GIL

ABOGADOS, S.L.P.

In accordance with the provisions of article 50 of the LOPDGDD, this Re-
solution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure as prescribed by
the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations, interested parties may file an appeal
contentious administrative before the Contentious-administrative Chamber of the Audien-

National company, in accordance with the provisions of article 25 and section 5 of the
Additional fourth section of Law 29/1998, of July 13, regulating the Jurisdiction
Contentious-Administrative, within two months from the next day
upon notification of this act, as provided in article 46.1 of the aforementioned Law.



Mar Spain Martí
Director of the Spanish Agency for Data Protection







































C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es